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Digital rights mana gement uni t for a digital rights management system 

The present invention relates to a digital ri^ts management (DKM) user unit 
for interacting with DRM client units and DRM server units of a DRM system, said 
5 DRM client units storing digital data objects and said DRM server units issuing digital 
rights objects representing usage rights of associated digital data objects. 

The invention relates further to a DRM client unit, a DRM system and a DRM 
method. The application area of the invention is the distribution and the management of 
digital rights objects used for the representation of the permission of the use of digital 

10 data objects in digital rights managCTients systems. 

Digital Rights Management (DRM) is used in consumer devices and PCs, the 
DRM client units (often also called target systems), to restrict the use of digital data in 
order to safeguard the interests of the content owners. For instance, the ability to copy 
the digital data can be restricted or the number of times the digital data can be used can 

IS be limited In addition, other restrictions like expiration times of usage rights can be 
employed by DRM systems. DRM systems feature a wide variety of measures to 
prevent non-authorized use of digital data. One area of particular interest for the 
consumer electronics industry is the introduction of Digital Rights Objects (DRO) for 
digital data that is distributed electronically. The DRO is a digital file that represents the 

20 permission to use a specific Digital Data Object (DDO) and that contains all restrictions 
of the use of the DDO. 

The DRO is used by a DRM client in the DRM client units to apply the rules 
and limits that the content owner stipulates for the use of the DDO. The security of the 
system depends exceptionally on the trustworthiness of the DRM clients. A 

25 conventional DRM system sets up a relationship between a DRO and one particular 
DRM client so that the DDO that is associated with the DRO can only be used by one 
particular DRM client This represents a very severe restriction for the purchaser of the 
DRO: since the DRM client is located in one particular device (i.e. one particular DRM 
client unit or target system, such as one particular PC), the DRO can not be used with 

30 any other equipment 
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US 2001/0029S81 Al discloses a system for providing rights controlled access 
to digital media con^iprises a server data processor and a client data processor connected 
by a communications network. The user data processor provides access to a data object 
in accordance witihi rules associated with the data object by the server data processor. 
5 The client data processor comprises a machine key device and a user key device. The 
machine key device is preferably an installed component of the client data processor 
that provides encryption, decryption, and authentication functionality for the client data 
processor. The user key device is preferably a removable, portable device that connects 
to the client data processor and provides encryption, decryption, and authentication 

1 0 functionality for the user. A method restricts the use of a data object to a particular user 
and a particular data {processor through the use of additional layers of enoyption. The 
method preferably conqnises encrypting a data object such lhat tiie it can be decrypted 
by the machine key device, and further encrypting the data object such that it can be 
decrypted by the user key device. Another method refstricts the use of a data object to a 

1 S particular user and a particular data processor through the use of rules that require 
authentication of the machine key device and the user key device. 

It is thus an object of the present invention to provide ^propriate measures in 
20 a DRM system which overcome the above described limitation in known DRM systems 
where a DRO can only be used with one particular DRM client unit. 

This object is achieved according to the present invention by the introduction 
of a DRM user unit as claimed in claim 1 for interacting witih DRM client units and 
DRM server units of a DRM system, said DRM client units storing digital data objects 
25 and said DRM server units issuing digital rights objects representing usage rights of 
associated digital data objects, comprising: 

an autiientication unit for authentication of the DRM user unit to a DRM 
server unit and for autiientication of a DSM cli^t unit to the DRM user unit, and 
a rights storage unit for storing digital rights objects received from a 
30 DRM server unit, wherein said digital rights objects can be accessed by an authenticated 
DRM client unit to get usage rights for the usage of an associated digital data object 
stored on said DRM client imit 
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The invention is based on the idea to relocate the authentication of a DRM 
client to a unit that is possessed by an end user. This unit is called a DRM user unit. The 
fact that a user based unit is performing the authentication of the DRM client bears the 
advantage that now a digital rights objects is a personal license that can be used with 
5 more than one playback device / playback system while guaranteeing that no illegal 
copies in any form can be made of the purchased content A service provider may now 
implement his own specific software routines in the DRM user unit to authenticate the 
DRM client running on the DRM client unit of the user. 

According to the invention the DRM user unit is the keeper of the DROs that a 
1 0 particular user posses. By use of a handshake scheme between the DRM server of a 
supplier of DROs and the DRM user unit, the DRM user unit authenticates itself to the 
DRM server. Further, by use of another handshake scheme between the DRM user unit 
and the DRM client of a DRM client unit the DRM client authenticates to the DRM 
user unit 

1 5 Thus, DRM administration functionality is set-up in the DRM user unit, which 

is preferably a portable unit. The DRM user unit is a functional unit that represents a 
trasted and certified counterpart of a server application lliat issues digital rights objects. 
The DRM user unit is adapted for storing the DROs and for authenticating the DRM 
clients of DRM client units. On request, the DRM user unit enables a trustworthy DRM 

20 client to use the DDO that is associated with the DRO stored in the DRM user unit 
Before the DRM client is enabled to use the DDO, the DRM client preferabty has to 
successfully authenticate itself to the DRM user unit 

The DRM user unit is an extension of tibie DRM server application, while this 
extension is running in tiie domain of the consumer. The storage of the data and 

25 algorithms in tiie DRM user unit is preferably done in a secured IC. The secured IC is 
protected against unauthorized read-out and manipulation of the stored data and 
algorithms. Secured ICs that are suited for DRM user imits are e.g. smart card 
controller. 

The present invention also relates to a DRM client unit for use in a DRM 
30 system, as claimed in claim 8, comprising: 

a data storage unit for storing digital data objects, 

an authentication unit for authentication of tiie DRM client unit to a 
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DKM user imit, and 

a rights inter&ce for requesting access to a digital rights object 
associated with a digital data object stored in said data storage unit after authentication 
to a DKM user unit to get usage rights for the usage of said associated digital data 
5 object. 

Further, the present invention relates to a DKM system as claimed in claim 9, 
comprising: 

DKM client units for storing digital data objects, 
DKM server units for issuing digital rights objects representing usage 
1 0 rights of associated digital data objects, and 

DKM user units for interacting with said DKM client units and said DKM server 
units conqirising: 

an autiientication unit for authentication of the DKM user unit to a DKM 
server unit and for authentication of a DRM client unit to Ihe DKM user unit, and 
15 - a rights storage imit for storing digital rights objects received from a 

DKM server unit, wherein said digital rights objects can be accessed by an authenticated 
DKM client unit to get usage rights for the usage of an associated digital data object 
stored on said DKM client unit 

Still fimher, the present invention relates to a DKM method for use in a DKM 
20 ^tem, as claimed in claim 10, said method comprising the steps of: 

authentication of a DKM user unit to a DKM server unit, 
transfer of a requested digital rights object from said DKM server unit to 
said DKM user unit after successfiil authentication, 

authentication of a DKM client vmit to said DKM user unit, and 
25 - transfer of usage rig^its from said DRM user unit to said DKM client unit 

after successftil authentication for the usage of an associated digital data object stored 
on said DKM client unit 

Preferred embodiments of tiie invention are defined in the dependent claims. In 
a preferred embodiment the DKM user unit ftirther comprises a rights inter&ce unit for 
30 receiving digital rights objects from a DRM server unit to which ftie DKM user unit has 
authenticated and for granting usage rights for the use of a digital data object stored on 
an authenticated DRM client unit and associated with a digital rights object stored in 
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said lights storage unit In this embodiment, the DRM user unit is able to download and 
manage the DROs by itself. Specifically for the download and the management of the 
DROs the DRM user imit does not need to be connected to another device, for instance 
a DRM client unit, than could handle the input and output of DROs. However, in an 
5 alternative embodiment of the DRM user unit, no such rights interface is provided. 

In a another embodiment the DRM user unit further comprises a revocation list 
storage unit for storing a revocation list of DRM client units, said revocation list being 
checked by said authentication unit during authentication of a DRM client unit Thus, 
the DRM user unit can check during authentication of aDRM client unit if the DRM 

10 client is a valid client or not, and can restrict the access of particular or all DROs stored 
on the DRM client, if the DRM client is listed in the revocation list 

The data and algorit h ms in the DRM user unit can be updated during a 
connection between the DRM user unit and the DRM server of the service provider. 
This update procedure is preferably protected by cryptographic keys to ensure that only 

IS authorised instances are able to carry out changes of the data and algorithms of the 

DRM user unit If the DRM iiser unit is represented by a sinart card or uses a smart card 
IC as authentication unit, the additional smart card security measures ensure that no 
illicit access to the DRM user unit can be noiade. 

The DRM user unit can be implemented by any portable electronic unit that 

20 contains a secure storage unit and processing unit for authentication. Advantageous 
implementations are a smart card, a PCMCIA card or a mobile terminal, such as a 
mobile audio and/or video player, a mobile phone or a PDA. 

In addition, the DRM user xmit can also be configured to function with the 
same restrictions like the currently known DRM systems. In this case only a particular 

25 playback device, an assembty of functionally dependent playback devices or a limited 
number of playback devices or groins of functionally dependent playback devices can 
use the digital data object (DDO). Therefore, the digital rights objects include an access 
information which DRM client units shall get access to a digital rights objects, said 
accKS information being chected by the DRM user unit after authentication of a DRM 

30 client requesting access to said digital rights object The limited number of supported 
DRM clients can, for instance, be determined by the DRM server prior to issuing the 
DRO to the DRM user unit In this way the DRM system is flexible to support different 
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operation schemes as defined by the issuer of the digital rights objects. 

As an additional feature, backup copies of DROs can be supported. For this 
feature the DRM user unit can be formed as a unit that has an additional (portable) 
memory unit inserted. The core information of the main storage unit is backed up in the 
5 inserted memory unit In case the main memory of the DRM user unit is damaged, all 
information can still be retrieved firom the additional memory imit. The additional 
memory imit can be formed, e.g., by a smart card. While the information in the 
additional memory is sufficient to determine the rights in the DRM user unit, it is 
preferably not sufficient to set up a worldng second DRM user unit with the same 
10 rights. 

Jn case that backup copies of the DROs are present, the DRM system can be set 
up to allow the usage of aDRO in aDRM user unit only, if the memory unit that 
contains the copy of the DRO is present in the DRM user unit With this scheme, a 
backup copy of a DRO featuring internal states is possible. Intemal states in a DRO are 

15 used to implement, e.g., a limited number of uses of the DDO. 

Since the DRM user unit can be stored separately from the additional memory 
unit, this embodiment can also be used for the prevention of theft of the DROs. If one of 
the two units that store the DROs are stolen, that unit can not be used. The legitimate 
owner of the DRO did not transfer a DRO voluntarily and hence it is possible 1x> 

20 redistribute an initial DRO to tibie legitimate owner. 

DROs can be either transferable or non-transferable. A transferable DRO can 
be used with more Hian one DRM client The usage rights can optionally be restricted to 
a fixed set of DRM clients. In contrast, a non-transferable DRO can only be used with 
one specific DRM client Thus, according to an aspect of the invention, the digital rights 

25 objects include an transfer indicator indicating if a digital rights object is transferable to 
all DRM client units or not, and the authentication unit is adapted for authenticating the 
DRM client unit requesting access to a non-transferable digital rights object to the DRM 
server unit 

30 

The invention will now be explained in more detail wife reference to the 
drawings in which 
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Fig. 1 shows the layout of a DRM system according to the invention. 
Fig. 2 shows the interoperation of a DRM user unit and a DRM server unit, 
Fig- 3 shows the interoperation of a DRM user unit and a DRM client unit, 
Fig. 4 shows the layout of a DRM system according to the invention with a 
slightly different interoperation scheme, and 

Fig. S shows a flow-chart of a DRM method according to the invention. 



The currently known systems for a digital rights manag^ent feature three 

10 main functional entities: a DRM client in a DRM client unit at the customer side, a 
DRM server at a service provider, which issues the DROs and a content provider that 
issues the DDOs. The disadvantage of this system from the user perspective is that the 
DRO issued by the DRM server can be used only by one particular DRM client, and in 
the presently known systems that the DRM cHent is assigned to one particular electronic 

IS device or to a group of electronic devices that are functionally dependent on each other. 
In otiier words, it is an intrinsic feature of the presently known DRM systems, that the 
DRO that a customer purchases can not be used like a personal license to use the related 
content on the playback devices of choice. Hence, the content can only be played back 
on a fixed device, regardless who possess this device. The reason for this is to guarantee 

20 that each DRO represents exactly one permission to use the DDO. This guarantees that 
no "copies" in any form can be made of the purchased content To assure this, a DRM 
client is authenticated before a DRO is issued to Hxe DRM client The authentication of 
the DRM client includes the checking a revocation list that has registered devices that 
are reported broken or possibly.broken. Basedon the authentication data of the JDRM 

25 client and possible entries in the revocation list, a DRO is issued to the DRM client or 
the issuing of the DRO to the DRM client is denied. 

The system set-up of aDRM system featuring aDRM user unit as proposed by 
tiie iiresent invention is shown in Fig. 1 . The DRM system consists o£ 

• A DRM server unit 1 : this server manages and controls the transfer of digital 

30 rights objects into the user domain. The terms and conditions for the sale and use of the 
DROs are set by the content provider that owns the rights on the digital data objects. 
The content provider is not considered any fitrther in this document and is not shown in 
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the jSguie. The DKM server uses an aufhenticatioii algprifhm in an authentication unit 
1 1 to guarantee the identity of the receiver of DROs and a revocation list stored in a 
revocation list storage 12 to check Ihe integrity of the receiver of DROs. 

• A DRM user unit 2: this unit stores the DROs in the user domain in a rights 
5 storage unit 23 . On the basis of a DRO the DRM user unit 2 controls the use of a digital 

data object by the DRM client unit 3. For this purpose, the DRM user unit 2 contains an 
authentication unit 21 for processing an authentication algorithm and a revocation list 
storage 22. Both elements are provided and maintained by the operator of the DRM 
server unit 1. If a DRO is released into the user domain, this DRO is stored in the rights 
10 storage unit 23. 

• A DRM client unit 3: this unit runs aDRM client 31 and uses the DDOs 
stored in a data storage unit 32 on the basis of the associated DRO that is stored in the 
DRM user unit 2, In order to get a permission to use the DDO, the DRM client 3 1 has to 
authenticate itself to the DRM user unit 2 and has to access or request a DRO therefrom 

IS by use of a rights interface 33. 

The operation of the DRM system can be seen fiom Figs. 2 and 3. In Fig. 2 the transfer 
of a DRO from tibie DRM sever unit 1 to the DRM user unit 2 is shown. In order for the DRM 
user unit 2 to obtain a DRO and for the DRM server unit 1 to possibly update the authentication 
algorithm and the revocation list, a mutual authentication betv^een the DRM user unit 2 and the 

20 DRMserverunitl has to be traded out Especially fte DRM server unit 1 checks if the DRM 
user unit 2 is recorded in the revocation list stored in the revocation list storage 12. After a 
successful authentication, several actions are possible, such as grant of digital rights object, 
iqxlate of authentication algoritfam, or update of the revocation list stored in the revocation list 
storage 22 of the DRM user unit 2 . 

25 After the transactions between the DRM server unit 1 and the DRM user unit 

2, the DRM user unit 2 contains the current version of the authentication algorithm and 
revocation list and a valid set of digital rights objects. The use of a DRO is managed by 
the DRM user unit 2 autonomously. 

In Fig. 3 the use of a digital rights object is shown. The key functionality of the 

30 DRM user unit 2 is that it can grant the permission to use a specilBc DDO to different 
DRM client units 3, but preferably not to more than one at a time. As a first step the 
DRM client 31 of the DRM client unit 3 has to authenticate itself to the DRM user unit 
2. The DRM user unit 2 checks with e.g. a challenge-response handshake if the DRM 
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client 31 of the DRM client unit 3 is a valid client. In a next step the revocation list is 
checked whether the specific DRM client 3 1 is listed th^e. After a successftil 
authentication of the DRM client unit 3, a permission of the use of a DDO can be 
granted to the DRM client unit 3, depending on the restrictions and limitations of the 
5 DRO. 

An alternative qperation of the DRM system is required in the case that the 
digital rights objects are non-transferable. In this case the DRO is bound not only to a 
specific DRM user unit 3, but also to a specific DRM client 3 1 . The related operation 
scheme is depicted in Fig. 4. The difference to the scheme shown in Fig. 3 is that not 

10 only a mutual authentication ofthe DRM user unit 2 and the DRM server un^^ is 
required, but Ihat also the DRM client 3 1 of the DRM client unit 3 has to authenticate 
itself to the DRM server unit 1 through the DRM user unit 2. The use of the DRO that is 
issued afterwards by the DRM server unit 1 to the DRM user unit 2 is restricted to Hie 
one DRM client 31 that has authenticated itself successfully to the DRM server tmit 1. 

IS Further, an additional rights inter&ce 24 of the DRM user unit 2 is shown in 

Fig. 4 which serves for receiving digital rights objects firom the DRM server unit 1 to 
which the DRM user unit 2 has authenticated and for granting usa^ ri^ts for the use of 
a digital data object stored on an authenticated DRM client unit 3. 

A flow chart of an embodiment of a DRM method according to the invention 

20 for issuing of a DRO to a DRM client is illustrated in Fig. 5. In step S llfae DRM user 
unit 2 is issued to the consumer. In step S2 the consumer uses the DRM user unit 2 to 
issue a request for a DRO to a service provider, in particular to the DRM server unit 1 
of the service provider. The service provider checks the identity of the DRM user unit 2 
in step S3 and a revocation list in step S4. 

25 If the requested DRO is a transferable DRO, then it continues with step S8. In 

this step the decision is made whether or not the DRO is issued to the DRM user unit 2. 
If a negative decision is made, the scheme ends; in case a positive decision is made the 
scheme continues with step S9 where the DRO is transferred to the DRM user unit 2. 
In case that the requested DRO is non-transferable, the security level of the 

30 transaction is increased: The DRM user unit 2 has to provide one fixed identity of an 
DRM client 3 1 to the service provider. This identity of the DRM client 3 1 is checked by 
the service provider in the steps S6. In step S7 a revocation list is checked witii respect 
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to the DRM client 31. After the checks the decision is made whether the DRO is going 
to be submitted to the DRM user unit 2 and the DRM client unit 3 . Then the scheme 
continues in case of a positive decision with the step S9 and ends afterwards. 

The DRM user unit can be implemented by any portable electronic unit that 
5 contains a secure storage and a processing unit (for authentication) and, preferably, a 
suitable interi^e. Two instances of the DRM user unit are described here in more 
detail. 

The DRM user unit can be represented by a smart card In this case the DRM 
user unit does not have an own user inter&ce, so for any operation that requires a user 
1 0 interaction, the smart card has to be linked to a device that can handle the user I/O. 
. Prunarily there are three different devices that will be used as I^^ 
card that ftmctions as DRM user unit: 

1) The DRM client unit: In this case the DRM user unit gets Ihe user I/O 
throu^ the interfaces of the playback equipment The DRM user xmit may be used by 

15 the DRM client unit for e.g. the playback of a DDO, but also the user may download 
. additional digital ri^ts objects through the DRM client unit in case the DRM client unit 
has a suitable network connection. 

2) A mobile terminal: In this case the mobile terminal, e.g. a mobile phone, can 
provide all elements that are needed in addition to the smart card for a complete system 

20 in the user domain. The terminal has its own user inter&ce, a network connection for 
obtaining additional digital rights objects, and also a DRM client can be present in case 
the terminal can function as an output device for AA^ data. 

3) A stationary terminal at a prominent location like a concert hall, a library, a 
record shop, a filling station, a siq)eimarket or other places. This kind of terminal is 

25 employed by the user for the download of additional DRO. 

A smart card as a DRM user unit can interact with a terminal or the DRM 

client unit via a contact or a contactiess inter&ce. The DRM user unit can also be a 

PCMCIA Card containing a smart card controQer. In the PCMCIA card an additioiial 

small form &ctor smart card can be inserted. 
30 The DRM user imit can also be represented by a mobile tenninal. In this case 

the DRM user unit contains all necessary interfaces to download and manage the DRO. 

In addition, the mobile terminal can fimction as a DRM client unit, e.g. as a MP3 player 
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or an MPEG4 video playback device. The mobile terminal must contain a secure 
processing and storage unit in order to guarantee the integrity of the DKM system. The 
interfacing between the mobile terminal as the DRM user imit and a DRM client unit 
will preferably be a contactless inter&ce like e.g. ISO 14443 or NFC (near field 
S communication). 

The following usage scenarios outline the possible use of a DRM user unit 
mostly on the base of an NFC enabled mobile terminal. The handling of the DRO can 
be implemented on sroart cards as well, but Hie use of an NFC device brings additional 
functionality to the system. 

10 In a &st usage scenario the consumer goes to a record shop to buy records. In 

the store he enjoys a sample track of a particular recording of music. The consumer 
decides to buy this recording. Along with conventional CDs and SACDs the record 
store offers as well to buy digital ri^ts objects for the selected recordings. Since this 
option is offered at 2/3 of the price of the CD, the consumer chooses to get a DRO for 

IS the selected recording. The consumer goes to a terminal at the record store and puts his 
mobile phone based DKM user unit in the interaction area of the contactless reader of 
the terminal. The mobile phone and the terminal use their NFC inter&ces for the 
subsequent transactions. The consumer selects the desired recording and pays the DRO 
with the credit card applet that is also stored on his mobile terminal. In addition the 

20 consumer is ofifered to download a compressed version of the recording he just bought 
as a digital data object into his mobile phone at no additional cost The inter&ce for this 
download can be e.g. 802.1 1, FastNFC or USB. The DDO of the recording is protected 
and can only be used with a suitable DRO. At home the consumer downloads a larger 
file with a high definition version of the same recording. Both DDOs can be used with 

25 the same DRO. The consumer now possesses a transferable digital rights object .of tiie 
recording, sohecanenjoyitinacomgpressedversiononhismobilephoneas well asin 
a high quality representation on his stereo set at home. 

In a further usage scenario Ihe consumer watches a broadcast of an impressing 
concert at home. At the end of the performance Hxe broadcaster shows an advertisement, 

30 stating fliat for a very special price a non-transferable limited DRO of the performance 
with S presentation times can be purchased online. The consumer wants to take 
advantage of this special offer and connects his stereo system via the NFC inter&ce and 
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GSM coimection of his mobile phone to the DRM server of the provider. The DSM 
server authenticates both, the DRM user unit (mobile terminal) as well as the DRM 
client (stereo set). Alter the successful authentication and a payment via the VISA 
applet of the mobile phone, the DRO for the concert is transferred to the mobile phone. 
5 This particular DRO can be used only in conjunction with tiie specific stereo set (non- 
transferable DRO). 

In another usage scenario the consumer is on a business trip. His rental car is 
equipped with a generic cradle for mobile phones, this cradle also features an NFC 
inter&ce to the car stereo system. The consumer puts his mobile terminal into the cradle 

10 for a hands fi:ee operation of the phone and to enable the car stereo set to use the digital 
rights objects stored in his mobile phone. After selection of a particular recording the 
car stereo system retrieves the recording as a stream of compressed data fiom a network 
server. The car stereo system decompresses and plays back the music. The service to 
receive compressed DDOs fi-om a network server is part of the consumer's mobile 

1 5 phone subscriber package. 

During the business trip the consimier stays in a hotel room with a Pay-TV 
system. Fortunately the system features an open inter&ce to use personal subscriptions 
during the stay in the hotel. Knowing that, tiie consumer took his subscription card, the 
DRM user unit, for watehing a particular film along and can now watoh this filtn as he 

20 would do at home. 

In a ferther usage scenario the consumer wants to be able to playback a 
particular recordmg at realistic levels, but his current equipment is not capable of 
delivering this without distortions, so he decides to upgrade his system. The consumer 
goes to a shop for a test session, and after hearing some sample tracks he requests to 

25 hear a special recording. The shop does not own the recording, but by the use of the 
high speed connection of the shop, a high resolution DDO of the recording can be 
downloaded into the storage device of the equipment of tiie store. The particular DDO 
can be played back at the shop with the use of tiie DRM user unit that the consumar 



30 According to the present invention the authentication of a DRM client is 

relocated to the DRM user imit that is possessed by an end user. This has the advantage 
that now a digital rights objects is a personal license tiiat can be used with more than 
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one playback device / playback system while guaianteeing that no illegal copies in any 
form can be made of the pm-chased content A service provider may now implement his 
own specific software routines in the DRM usct unit to authenticate the DKM cUent 
running on the DKM client unit of the user. 
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CLAIMS 

1 . Digital rights management (DRM) user unit for interacting with DKM client 
units (3) and DRM server units (1) of a DKM system, said DRM client units (3) storing 
digital data objects (DDO) and said DRM server units (1) issuing digital rights objects 
(DRO) representing usage rights of associated digital data objects, comprising: 

5 - an authentication unit (21) for authentication of the DRM user imit (2) to 

a DRM server unit (1) and for authentication of a DRM client unit (1) to the DRM user 
unit (2), and 

a rights storage unit (22) for staring digital ri^ts objects received from a 
DRM server unit (1), wherein said digital rigjhts objects can be accessed by an 
10 authenticated DRM client unit (3) to get usage ri^ts for the usage of an associated 
digital data object stored on said DRM client unit (3). 

2. DRM user unit as claimed in claim 1, 
further comprising: 

a rights interface unit (24) for receiving digital rights objects from a DRM server 
15 unit (1) to which the DRM user inrit (2) has authenticated and for granting usage rights 
for the use of a digital data object stored on an authenticated DRM client unit (3) and 
associated with a digital rights object stored in said rights storage unit (23). 

3. DRM user unit as claimed in claim 1, 
further conorprising: 

20 - a revocation list storage unit (22) fi>r storing a revocation list of DRM client 
units (3), said revocation list being checked by said authentication unit (21) during 
authentication of a DRM client unit (3). 

4. DRM user unit as claimed in claim 1, 

wherein said DRM user imit (2) is a portable electronic device, in particular a smart 
25 card, a PCMCIA card or a mobile terminal, such as a mobile audio and/or video player, 
a mobile phone or a PDA. 

5. DRM user unit as claimed in claim 1, 
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wherein said digital rights objects include an access information which DSM 
client units (3) shall get access to a digital rights objects, said acc^s information being 
checked by the DRM user unit (2) after authentication of a DRM client (31) requesting 
access to said digital rights object. 
5 6. DRM user unit as claimed in claim 1, 

fiirther comprising: 

a portable memory unit for storing at least part of the digital rights objects or a 
copy of the digital rights objects stored in said rights storage unit (23), the presence of 
said portable memory unit being checked before an access to digital rights objects is 
10 granted. 

7. DRM user unit as claimed in claim 1, 

wherein said digital rights objects include an transfer indicator indicating if a digital 
rights object is transferable to all DRM client units (3) or not, and 
wherein said authentication unit is adapted for authenticating the DRM client imit (3) 
15 requesting access to a non-transferable digital rights object to the DRM server imit (1). 

8. Digital rights management (DRM) client unit for use in a DRM system, said 
DRM system comprising DRM server units (1) issuing digital rights objects CDRO) 
representing usage rights of associated digital data objects (DDO) and DRM user units 
(2) for interacting with said DRM client units (3) and said DRM server units (1), 

20 comprising: 

a data storage unit (32) for storing digital data objects, 
an authentication unit (31) for authentication of the DRM client unit (3) to a 
DRM user unit (2), and 

a rights interfece (33) for requesting access to a digital rights object associated 
25 with a digital data object stored in said data storage vmit after authentication to a DRM 
user unit to get usage rights for the usage of said associated digital data object. 

9. Digital rig^ls management (DRM) syst^ con^rising: 
DRM client units (3) for storing digital data objects (DDO), 

DRM server units (1) for issuing digital rigfhts objects (DRO) representing usage 
30 rights of associated digital data objects, and 

DRM user units (2) for interacting witii said DRM client units (3) and said DRM 
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server units (1) comprising: 

an authentication unit (21) for authentication of flie DRM user unit (2) to a 
DKM server unit and for authentication of a DRM client unit (3) to the DRM user unit 
(2), and 

5 - a rights storage unit (22) for storing digital rights objects received from a DRM 
server unit (1), wherein said digital rights objects can be accessed by an authenticated 
DRM client unit (3) to get usage rights for the usage of an associated digital data object 
stored on said DRM client unit (3). 

10. Digital ri^ts management (DRM) method for use in a DRM system, said 
10 DRM system comprising DRM client units (3) for storing digital data objects (DDO), 
DRM server units (1) for issuing digital rights objects (DRO) representing usage rights 
of associated digital data objects and DRM user units (2) for interacting with said DRM 
client units (3) and said DRM server units (1), said method conq>rismg the steps of: 
authentication of a DRM user unit (2) to a DRM server unit (1), 
IS - transfer of a requested digital rights object fix>m said DRM server unit (1) to said 
DRM user unit (2) after successful authentication, 

authentication of a DRM client unit (3) to said DRM user unit (2), and 
transfer of usage rights fix>m said DRM user unit (2) to said DRM client unit (3) - 
after successful authentication for the usage of an associated digital data object stored - 
20 on said DRM client unit (3). 
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ABSTEIACT 

Digital rights maBagetnent unit for a distal rights management system 

The present invention relates to a DRM user unit (2) for interacting with DRM 
client units (3) and DEM server units (1) of a DRM system, said DRM client units (3) 
S storing digital data objects (DDO) and said DRM server units (1) issuing digital rights 
objects (DRO) representing usage rights of associated digital data objects, said DRM 
user unit (2) comprising an authentication unit (21) and a rights storage unit (22) for Ifae 
storage of said digital rights objects. According to the invention the authentication of a 
DRM client (31) is relocated to the DRM user unit (2) that is possessed by an end user. 

10 This has the advantage that now a digital rights objects is a personal license that can be 
used with more than one playback device / playback system while guaranteeing that no 
illegal copies in any form can be made of the purchased content. A service provider may 
now implement his own specific soflware routines in the DRM user unit (2) to 
authenticate the DRM client (31) running on the DRM client unit (3) of the user. 

15 (Fig. 4) 
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